
I am trying to improve the production environment on my website's server. I notice that many sites do not have an IP address that is directly accessible, yet it looks like my site's IP is accessible. For example:

[lucas]$ nslookup professionalSite.org

Non-authoritative answer:
Name:   professionalSite.org
Address: 192.12.345.102

[lucas]$ nslookup mySite.org

Non-authoritative answer:
Name:   mySite.org


In this example, when I enter the "192.12.345.102" IP (from professionalSite.org) into my browser, it is invalid. On my site, when I enter "" in my browser, it resolves to my site.

So, should I be concerned about serving incoming requests in this way? What are the pros and cons about the difference in "professionalSite.org" and "mySite.org"? How can I prevent requests directly to my static IP, similar to that of "professionalSite.org", above?


Here is a more concrete example:

[lucas]lucas$ nslookup craigslist.org

Non-authoritative answer:
Name:   craigslist.org

When I navigate to in my browser, I get a 404. But on my website, the site is served just fine. Why is this so? Is there an advantage to serving a 404 when the static IP is entered directly in the browser?

  • 335
  • 1
  • 3
  • 16
  • 3
    I don't understand. In neither case is the IP address being hidden. Without an IP address, how do you expect anything to communicate with your server? – EEAA Dec 07 '15 at 11:36
  • @EEAA My description was incorrect, but I just fixed it. Thanks for the feedback. To clarify, in one example, `nslookup craigslist.org` returns an ip address of ``, but when I navigate there in my browser, I get a 404. How can I do the same for my site? Can this be something that I can configure on a web server like nginx? – modulitos Dec 07 '15 at 11:59
  • 1
    Possibly cross-site duplicate [on webmasters.se](http://webmasters.stackexchange.com/questions/65349/should-a-website-be-directly-accessible-by-its-ip-address). – Reaces Dec 07 '15 at 12:11
  • @Reaces Thanks! That is a very thorough answer. I also found a solution to implement this on nginx here: http://serverfault.com/questions/675619/nginx-make-website-inaccessible-via-ip I am planning to leave this question up in case it helps others – modulitos Dec 07 '15 at 12:50

2 Answers2


I am really not sure what you mean by "hiding", but my guess is that what you mean is that you get a an error (e.g. 404) if you contact a site via the IP directly.

What happens here is the following: HTTP 1.1 is able to transmit the site name you want to contact for a request (unlike e.g. SSH), so you can run many domains with a single IP address. However, if you just use the IP to speak to the web server, it will have a default site (usually the first vhost defined) that will serve this request. Some sites define a specific vhost for this case that will always react with an error. This can be done for various reasons, especially on large sites run by many servers, but it will usually not have a large "security impact".

You can configure your web server to do the same, but if it only serves one site (yours), there is absolutely no security benefit if you do this - your site is exposed to exactly the same security risks if you speak to it only by its IP as if you use a domain name.

  • 97,248
  • 13
  • 177
  • 225

What you are seeing are the DNS records for your website. You cannot "hide" them, neither you would want to; they need to be publicly visible, or otherwise nobody will be able to visit your website through its URL (visitors would be only able to visit your site through its IP address).

  • 1,035
  • 11
  • 19
  • My question was poorly worded, but I just fixed it. Sorry for the trouble. I have added some clarification, so any further help would be appreciated. – modulitos Dec 07 '15 at 12:03